Suppose you have a PHP/MySQL user/session managing script which directs authorized users to a subdirectory for downloads. Is there any way to password protect the subdirectory that contains the actual download files without making it inacessible by the download script?
If the htaccess file could somehow recognize valid sessions or users in the database, that could possibly be passed through as part of the download URL... I can't think of any way to do that, though. Could the htaccess file be set to only allow access to that subdirectory if routed through the download script (which contains user authentication)? Do <Location> or <LocationMatch> work on the sending URL or the receiving URL?
The next best thing I can think of is to bury the download subdirectory deep in the directory structure with non-pronunceable directory names and place a blank index file in it. That should eliminate 99.99% of people stumbling across it, but why not strive for 100%?